It works in that way: when malicious file is found CCE looks up in the registry for keys connected with that file. CCE doesn't have signatures of malicious registry keys, it just marks these keys that are connected with infected file. (mostly autorun keys)